RE: Rules

  • From: Troy Radtke <TRadtke@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Oct 2004 09:17:04 -0500

Hi Tom,

Everything has its place in a network.  Be it an ISA box, a PIX, or a
UNIX/Windows box with IPCHAINS/ICS and firewall.  Best tool for the job is
always a good way to do things.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, October 01, 2004 8:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules


http://www.ISAserver.org

Hi Troy,

Bingo, Bango, Bongo! You get the brass ring on that one.

What amazes me is that people pay good money for the ISA firewall and
then dumb it down to a PIXoid or Netscream like packet filter box. :(

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Friday, October 01, 2004 8:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules


Security vs. ease of use..... If the point is to be ultra secure, then
block all.  If the point is the hacker/virus speed bump, then open
all.....

Personally, it's not even a question.... If you're going to open
everything up, Black Ice Defender and ICS would have been a much
cheaper solution... =?)

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Friday, October 01, 2004 12:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules


Hear-hear.
The idea that "I'll open everything and only block what I need to" will
keep you hopping as you try to keep up with the 1d10t applications that
think they're smarter than you (Kazaa, BearShare, etc.).
Lock it down and only open what you need to.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 30 Sep 2004 18:53:58 -0700
 "Thor" <thor@xxxxxxxxxxxxxxx> wrote:

Best practices would dictate that you only allow what is needed.
Everything should be blocked by default, and only the services needed
allowed - and even then, they should only be allowed for those who need
it.

t

----- Original Message -----
From: Aman Bedi
To: [ISAserver.org Discussion List]
Sent: Thursday, September 30, 2004 6:08 PM
Subject: [isalist] RE: Rules


I won't have any anonymous rules coz I wanna force firewall clients.
I wanted to know whether it is right to open everything going out and
just block stuff not needed.. OR
Should we block everything going out and just open what's needed?

Also, is there a need to make servers like internal webservers, domain
controllers, exchange etc any kind of client? Is it ok if I just make
all my servers SECURENAT (no proxy and no firewall clients on any
servers)? If the servers are not initiating any connections, is there a
need for them to be a client? I am a little confused on this..

Thanks

Aman Bedi | Systems/Network Administrator
54 West 39th Street, 4th Floor, New York, NY 10018
Fax +1(212) 764-0269 | Phone +1(212) 278-0178 ext 234 | www.scanbuy.com
PRIVILEGED & CONFIDENTIAL
The information contained in this email message is intended only for use
of the person or entity to whom it is addressed. The contained
information is CONFIDENTIAL and LEGALLY PRIVILEGED and exempt from
disclosure under applicable laws. If you read this message and are not
the addressee, you are notified that use, dissemination or reproduction
of this message is prohibited. If you have received this message in
error, please notify the sender immediately.



From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, September 30, 2004 7:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules

Hi Aman,

The way I do it when an organization doesn't use Least Privilege:

Deny Rules first
Anonymous Rules next
Authenticated Rules

HTH,
Tom



From: Aman Bedi [mailto:gurkirpal.bedi@xxxxxxxxxxx]
Sent: Thursday, September 30, 2004 5:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Rules

Hi all

I know it's not the best practice but is it ok

to have ALL open rules for outgoing traffic .. and
rules to block things which I don't want like FTP, or messengers, etc
etc above that rule

And for incoming ..
Block all incoming traffic rule (the default rule)
And rules to allow stuff above that

Like

------------------------------------------------------------------------
Rule 1 ------------ block outgoing this
Rule 2 ------------ block outgoing this
Rule 3 ------------ block outgoing this
.
..
ALL OPEN (int to ext) ---- ALLOW ---- ALL TRAFFIC ---- INTERNAL ---- EXTERNAL

Rule 10 ....... Allow incoming this
Rule 11 ....... Allow incoming this
Rule 12 ....... Allow incoming this
.
.
Last Default Rule ---- DENY ---- ALL TRAFFIC ---- ALL NETWORKS ---- ALL NETWORKS
------------------------------------------------------------------------



Aman Bedi | Systems/Network Administrator (MCP, MCSD, MCSA 2000, MCSA 2003)
54 West 39th Street, 4th Floor, New York, NY 10018
Fax +1(212) 202-4318 | Phone +1(212) 278-0178 ext 234 | www.scanbuy.com

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
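
Added example (not part of the original thread, and not ISA Server's own rule engine): a small first-match rule evaluator that runs the "block a few things, then ALL OPEN" outbound layout from the first post and the "block everything, open what is needed" layout from the replies against the same outbound flows, and flags rules that can never fire when ordered wrongly. The port numbers, rule names and flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    direction: str        # "out", "in" or "any"
    ports: frozenset      # empty set means ALL TRAFFIC

def evaluate(rules, direction, port):
    """Top-down, first match wins, like an ordered firewall policy."""
    for r in rules:
        if r.direction in (direction, "any") and (not r.ports or port in r.ports):
            return r.action, r.name
    return "deny", "implicit default"

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            covers_dir = e.direction in (r.direction, "any")
            covers_ports = not e.ports or (bool(r.ports) and r.ports <= e.ports)
            if covers_dir and covers_ports:
                hidden.append(r.name)
                break
    return hidden

DEFAULT_DENY = Rule("Last Default Rule", "deny", "any", frozenset())
# Layout from the first post: block rules above one ALL OPEN outbound rule.
BLOCKLIST = [Rule("block FTP", "deny", "out", frozenset({21})),
             Rule("block messenger", "deny", "out", frozenset({1863, 5190})),
             Rule("ALL OPEN (int to ext)", "allow", "out", frozenset()),
             DEFAULT_DENY]
# Layout recommended in the replies: open only what is needed.
ALLOWLIST = [Rule("allow web", "allow", "out", frozenset({80, 443})),
             Rule("allow DNS", "allow", "out", frozenset({53})),
             DEFAULT_DENY]
# Same rules as BLOCKLIST with ALL OPEN placed first by mistake.
MISORDERED = [BLOCKLIST[2], BLOCKLIST[0], BLOCKLIST[1], DEFAULT_DENY]
# Constructed outbound flows: (label, destination port).
FLOWS = [("web", 443), ("ftp", 21), ("messenger", 1863),
         ("p2p on its usual port", 1214), ("p2p on a random high port", 40123)]

def passed(rules):
    """Labels of the constructed outbound flows the policy lets through."""
    return [label for label, port in FLOWS
            if evaluate(rules, "out", port)[0] == "allow"]

if __name__ == "__main__":
    for name, policy in (("blocklist", BLOCKLIST), ("allowlist", ALLOWLIST)):
        print(name, "passes:", passed(policy))
    print("never fires when misordered:", shadowed(MISORDERED))
```

The blocklist layout passes every flow nobody wrote a deny rule for, which is the "keep you hopping" problem described in the replies; the allowlist layout passes only the web flow.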